The System i has been known to be a security rock. Three years ago the data center at the St. Paul-Minneapolis branch of Catholic Charities got hit with a major virus that shut down the whole network across three different sites. PCs, network lines and Microsoft servers got hit hard.
"But the iSeries kept on chugging," said Jim Storms, chief information officer (CIO), Catholic Charities. "It was nice to know that the iSeries wasn't affected."
But according to a recent survey by System i security software company The PowerTech Group Inc., it isn't the hardware that's the problem. It's not even the software. The problem is the people. The survey looked at data from 177 security assessments on iSeries boxes over the last year. Among the findings:
- Ninety-five percent have more than 10 users with root authority, threatening data on the system.
- Seventy-seven percent have more than 20 users whose passwords are the same as their user names.
- Ninety-one percent don't control or audit changes made through PC access.
"AS/400 security projects often take a back seat to Windows and UNIX platform security, either because the AS/400 is assumed to already be secure, or because the security professionals in an organization are unsure how to assess the AS/400," the study indicated.
The PowerTech survey does not, however, include a random sample of iSeries shops. The companies in the study all requested security audits of their systems. PowerTech thinks this means they were auditing shops that were particularly security conscious, but also acknowledged that it could mean they audited a lot of shops that were "knowingly deficient."
Storms, for example, said that his five-person IT staff isn't big enough to warrant multiple tiers of security and access on its System i boxes. The company is small enough that, Storms said, it becomes more a matter of trust.
"If you had an IT staff of 20 or 30 people, you would have to use more common sense," he said. "In a smaller IT staff, you have to weigh it in terms of trust, and they can be held accountable for their actions if they do something. If we were to double our staff and have 10 people, we would have to be more granular."
But Larry Bolhuis, vice president of Grand Rapids, Mich.-based Arbor Solutions Inc., a System i reseller, said that he has seen security gaffes firsthand, and they are not pretty.
Bolhuis recounted one situation where a customer of his needed help installing a program from a CD to access one of their freight companies' systems to enter and track shipping orders. A document on the CD listed an IP address and a user ID, so Bolhuis dialed up to that IP address and, bingo, he had a sign-on screen to that freight company's production box. Not only that, but Bolhuis was able to log onto the system using the user ID and a default IBM password, and that user ID had root authority. In a few short moments, Bolhuis had gotten into the system because password and other personnel security had been done poorly.
"There are many systems out there where the security isn't good enough to be called rotten. Not because of the i, but because of the lack of proper implementation," Bolhuis said. "Unfortunately, in most cases these things come to light when the horses are found to be missing and the barn door is rapidly slammed shut."
Let us know what you think about the story; e-mail Mark Fontecchio, News Writer.